tjr@ihnet.ATT.COM (Tom Roberts) (08/03/87)
There are some problems with public key encryption which I do NOT believe have been adequately addressed:

1) How does a user KNOW that the correct (i.e. uncompromised) public key is being used? This is crucial to the entire system. If anybody (e.g. SYSOP) can modify the keys contained in the key server, they can then read the mail, or masquerade as someone else. Of course, the recipient will decrypt garbage, or the deception will eventually be discovered, but the damage has already been done.

2) How are keys selected? I know of no adequate method using pseudo-random number generators. Using the current date+time[+...] as a seed is hopeless. Using a "random" string entered by the user is better, but is still not perfect. Requiring the user to have a "true" random number generator is not feasible. Remember, the "seed space" for the key generator is the REAL "key space" which must be searched by a cracker; the 1000-bit secret key is merely an intermediate result determined by the key generator (but it, too, is vulnerable, so you need a good algorithm which makes the secret key uncomputable from the public key - see 3 below).

3) How secure is the algorithm (i.e. how "difficult" is it to determine the secret key, given the public key and the algorithm)? There have been recent advances described in the unclassified literature which affect the popular algorithms.

Public key encryption (or any type of encryption) can make the reading of mail by non-authorized people non-trivial. A general, system-wide implementation of any type of system is also non-trivial, even difficult. Key management is where most systems fall down; contrary to statements made in the "popular" press, public key techniques DO NOT solve the problems, but merely move them to a different arena. The level of "non-trivialness" depends heavily upon system design and implementation; strong algorithms do not necessarily make strong systems - much more is involved.

Note the danger: users tend to believe that encryption systems are invulnerable (cf. all of the anecdotes about WW2, in which German and Japanese systems were utterly broken, but they retained their blind belief they were secure). It is entirely possible that a moderately-strong system will be WORSE than no system, because it will engender a false sense of security in the users.

Tom Roberts
ihnp4!ihnet!tjr
galvin@udel.EDU (James M Galvin) (08/03/87)
In article <562@ihnet.ATT.COM> tjr@ihnet.ATT.COM (Tom Roberts) writes:
>1) How does a user KNOW that the correct (i.e. uncompromised) public key
> is being used.

You go on to point out that if the key is modified, then the recipient will see garbage upon attempting to decrypt the message. But this is not the serious problem. As I pointed out before, it is the fact that an eavesdropper can learn your key and substitute his/her own in its place. Then the privacy of all communication is lost, without your knowledge.

Jim
--
James M Galvin
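Two of the points in this exchange can be made concrete in a few lines: Tom's point 2 (the seed space of the key generator, not the bit length of the secret, is what a cracker must search) and Jim's reply to point 1 (a substituted public key lets an eavesdropper read everything while the recipient still decrypts cleanly, so nobody sees garbage). The following Python is an added example written for this page, not code from either poster. It uses a toy ElGamal-style system over the Mersenne prime 2^127-1 with g=3; those parameters, the one-hour search window, and the names Alice/Bob/Mallory are all assumptions chosen for illustration, not recommendations for real use.

```python
"""Added example (not from the original thread). A toy ElGamal-style
public-key system used to show two key-management failures:
  1. a key generator seeded from the clock is brute-forceable regardless
     of how long the secret key is (the seed space is the real key space);
  2. an attacker who can write to the key server substitutes a key of
     their own, reads the mail, and re-encrypts it to the victim's real
     key, so the victim decrypts correctly and notices nothing.
Assumed parameters: P = 2**127 - 1 (a Mersenne prime, toy-sized) and the
base G = 3; neither is a vetted choice, they exist only to make the math run."""
import random

P = (1 << 127) - 1   # assumed modulus: Mersenne prime 2**127 - 1, far too small for real use
G = 3                # assumed base for the demonstration


def keygen(rng):
    """Derive (secret, public) from whatever PRNG is handed in. The secret is
    a deterministic function of rng's seed, so the seed space bounds the key space."""
    x = rng.randrange(2, P - 1)
    return x, pow(G, x, P)


def encrypt(pub, m, rng):
    """ElGamal encryption of an integer m < P under public key pub."""
    k = rng.randrange(2, P - 1)
    return pow(G, k, P), (m * pow(pub, k, P)) % P


def decrypt(sec, ct):
    """Recover m from (c1, c2): m = c2 / c1^sec (mod P)."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, sec, P), -1, P)) % P


def keygen_from_clock(timestamp):
    """The flawed generator from Tom's point 2: seed = current date+time in seconds."""
    return keygen(random.Random(int(timestamp)))


def recover_secret(pub, guessed_time, window=3600):
    """Attacker's side: knowing only the public key and roughly when it was
    generated, regenerate candidates for every second in the window and compare.
    The '127-bit' secret falls to a search over at most 2*window+1 seeds."""
    for t in range(guessed_time - window, guessed_time + window + 1):
        x, y = keygen_from_clock(t)
        if y == pub:
            return x
    return None


def run_substitution_scenario():
    """Jim's scenario: Mallory swaps Bob's entry in the key server for her own
    key, reads Alice's mail, then forwards it re-encrypted to Bob's real key.
    Returns (what Mallory read, what Bob decrypted, what Alice sent)."""
    true_rng = random.SystemRandom()          # honest keys use OS randomness here
    bob_sec, bob_pub = keygen(true_rng)
    mal_sec, mal_pub = keygen(true_rng)

    key_server = {"bob": bob_pub}             # the directory Alice consults

    # Mallory has write access (e.g. the SYSOP) and keeps a copy of the real key.
    saved_real_bob = key_server["bob"]
    key_server["bob"] = mal_pub

    message = 0xC0FFEE                        # constructed sample plaintext (any int < P)
    ct = encrypt(key_server["bob"], message, true_rng)   # Alice "encrypts to Bob"

    # Mallory intercepts in transit: decrypts with her key, re-encrypts to Bob's.
    seen_by_mallory = decrypt(mal_sec, ct)
    forwarded = encrypt(saved_real_bob, seen_by_mallory, true_rng)

    # Bob decrypts the forwarded copy: no garbage, no hint that anything happened.
    read_by_bob = decrypt(bob_sec, forwarded)
    return seen_by_mallory, read_by_bob, message


if __name__ == "__main__":
    made_at = 1234567890                      # constructed generation time
    sec, pub = keygen_from_clock(made_at)
    print("secret recovered from seed search:", recover_secret(pub, made_at + 1500) == sec)
    seen, bob_got, sent = run_substitution_scenario()
    print("Mallory read plaintext:", seen == sent, " Bob decrypted cleanly:", bob_got == sent)
```

The search in recover_secret does not get harder if the secret is made 1000 bits long; only the number of seconds the attacker must try matters, which is Tom's point about the seed space. In the substitution scenario the only defence is the one both posters are circling: some way for Alice to know that the key she fetched really is Bob's, which the key server itself cannot provide once it is writable by the adversary.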